Lucene search
K

79 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/20 1:35 p.m.13 views

CVE-2026-47068

Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex read...

2.3CVSS5.8AI score0.00449EPSS
Exploits0References5Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/20 1:35 p.m.8 views

CVE-2026-47068 Cross-session PubSub topic injection via URL parameter in phoenix_storybook

Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex read...

2.3CVSS5.8AI score0.00449EPSS
Exploits0References4
CVE
CVE
added 2026/05/20 1:35 p.m.31 views

CVE-2026-47068

The vulnerability is an Authorization Bypass in phoenix_storybook: Elixir.PhoenixStorybook.Story.ComponentIframeLive reads topic from params and broadcasts the iframe process PID on that PubSub topic without verifying session ownership, enabling cross-session topic injection. An attacker can load...

2.3CVSS5.8AI score0.00449EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/20 12:0 a.m.9 views

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a security vulnerability that stems from cross-session verification proofs, which rely solely on local user IDs and IdP aliases without binding actual verified upstream identities. This...

6.4CVSS5.8AI score0.00312EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.12 views

PT-2026-42199

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists where the cross-session verification proof is keyed only by the userId and idpAlias and is not bound to the upstream identity that was actually verified. This allows a second...

8.1CVSS5.1AI score0.00312EPSS
Exploits0References14
Packet Storm News
Packet Storm News
added 2026/04/27 12:0 a.m.8 views

Poster: ClawdGo: Endogenous Security Awareness Training for Autonomous AI Agents

Autonomous AI agents deployed on platforms such as OpenClaw face prompt injection, memory poisoning, supply-chain attacks, and social engineering, yet existing defences address only the platform perimeter, leaving the agent's own threat judgement entirely untrained. We present ClawdGo, a framewor...

5.4AI score
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/04/09 9:27 p.m.3 views

CVE-2026-35636

OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where sessionstatus resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked...

7.1CVSS5.9AI score0.00259EPSS
Exploits0References4Affected Software1
Spring Security Advisories
Spring Security Advisories
added 2026/04/07 12:0 a.m.6 views

Spring AI Agentic Patterns (Part 6): AutoMemoryTools — Persistent Agent Memory Across Sessions

File-Based Long-Term Memory for Spring AI Agents Agents are only as useful as what they remember. Spring AI's Chat Memory stores the full conversation and can persist it across restarts, but when the window fills, the oldest messages are evicted. The upcoming Session API will add recursive...

6.1AI score
Exploits0
Packet Storm News
Packet Storm News
added 2026/04/02 12:0 a.m.167 views

Poison Once, Exploit Forever: Environment-Injected Memory Poisoning Attacks on Web Agents

Memory makes LLM-based web agents personalized, powerful, yet exploitable. By storing past interactions to personalize future tasks, agents inadvertently create a persistent attack surface that spans websites and sessions. While existing security research on memory assumes attackers can directly...

5.8AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/03/31 4:59 a.m.5 views

CVE-2026-29872

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 2026-01-19. The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without...

8.2CVSS5.9AI score0.00253EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/30 6:31 p.m.3 views

EUVD-2026-17141

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 2026-01-19. The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without...

8.2CVSS5.9AI score0.00253EPSS
Exploits1References2
NVD
NVD
added 2026/03/30 6:16 p.m.11 views

CVE-2026-29872

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 2026-01-19. The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without...

8.2CVSS0.00253EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/30 12:0 a.m.2 views

CVE-2026-29872

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 2026-01-19. The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without...

8.2CVSS5.9AI score0.00253EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/30 12:0 a.m.18 views

CVE-2026-29872

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 2026-01-19. The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without...

0.00253EPSS
Exploits1References1
CVE
CVE
added 2026/03/30 12:0 a.m.9 views

CVE-2026-29872

The CVE-2026-29872 issue affects the awesome-llm-apps project, specifically a Streamlit-based GitHub MCP Agent. The underlying problem is storing user-provided API tokens in process-wide environment variables via os.environ without proper session isolation, allowing cross-session information disc...

8.2CVSS5.9AI score0.00253EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/30 12:0 a.m.7 views

CVE-2026-29872

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 2026-01-19. The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without...

5.9AI score0.00253EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/03/30 12:0 a.m.7 views

PT-2026-29084

Name of the Vulnerable Software and Affected Versions awesome-llm-apps versions prior to commit e46690f99c3f08be80a9877fab52acacf7ab8251 Description A cross-session information disclosure issue exists in the awesome-llm-apps project. The Streamlit-based GitHub MCP Agent stores user-supplied API...

8.2CVSS5.9AI score0.00253EPSS
Exploits1References5
CNNVD
CNNVD
added 2026/03/30 12:0 a.m.9 views

Awesome LLM Apps 安全漏洞

Awesome LLM Apps is a collection of large language model applications personally developed by Shubham Saboo. Awesome LLM Apps contains security vulnerabilities, which stem from improper isolation of session-specific environment variables, potentially leading to cross-session information leaks...

8.2CVSS5.8AI score0.00253EPSS
Exploits1References2
OSV
OSV
added 2026/03/07 3:30 p.m.9 views

CVE-2026-29784 Ghost: Incomplete CSRF protections around OTC use

Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost...

7.5CVSS5.7AI score0.00157EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/03/07 3:30 p.m.3 views

CVE-2026-29784 Ghost: Incomplete CSRF protections around OTC use

Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost...

7.5CVSS5.7AI score0.00157EPSS
Exploits0References2
Rows per page
Query Builder